By default the primary configuration file for the SSH daemon should be located at /etc/ssh/sshd_config.
Lines beginning with a '#' will be treated by the daemon as comments.
Configuration lines are of the form: [OptionName] [[option] ...]
Basic Configuration Security
In a basic configuration there are several options that you should set to facilitate better security practices:
- This will prevent the root user from logging in remotely. In order for a user to acquire remote access to your system remotely, he or she will first have to acquire access as a non-root user who is permitted to log in remotely. A logged-in, remote, non-root user must then use a command such as sudo or su to promote himself or herself to the root user. This practice ensures that a remote attacker must discover not one, but two passwords in order to acquire remote root access, if at all: a user permitted to login remotely and escalate himself or herself to root, and the password of the root user to effect this promotion.
SSH to use Protocol 2 only
- There are many floors in using the protocol 1 for the sshd suite, there are many automated rootkits out there, just google it for more information. Find the line #Protocol 2, 1 and change it to Protocol 2
AllowUsers [[user] ...]
- This will ensure that only users you explicitly grant permission will be allowed to login remotely, and will help you keep track of which users you presently permit remote login. Multiple users may be specified, each seperated by a space.
- By default the SSH daemon will listen on port 22. You may wish to change this to an alternative, non-standard port. Using an alternative port will make it more difficult for a potential attacker or malicious user attempt to communicate with the SSH daemon without first either monitoring traffic or executing a port scan against the target machine. If you have taken precautions on your network against traffic monitoring and port scanning, it becomes more likely that you will be alerted to the presence and intent of the potential attacker.
- Consider putting ssh on a port number higher than 1024, this will prevent typical scans (such as a standard nmap scan) picking up ssh.
- A server may have more than one IP address attached to it, i.e. using a range such as 192.168.1.5-192.168.1.10
- If we configure SSH to ListenAddress we ensure that SSH can only be accessed by only on IP address from that range.
- OpenSSH website (www.openssh.org)